In response to the news that Fitness Brand Under Armour has suffered a massive data breach affecting 150 million users, IT security experts commented below.
Terry Ray, CTO at Imperva:
“Most consumers are becoming a bit desensitized to data breaches, which have become common enough to barely make the news. And if one breach makes news, there are ten that don’t. In this case, it’s good that Under Armour detected the breach at all. Many companies fail this first most important step. Secondly, they at least used bcrypt for the passwords which is considerably more compute intensive than sha-1. Unfortunately, using only sha-1 for usernames and email addresses is a problem. For one, there are billions of already decrypted sha-1 hashes freely available on the web and cracking a new one doesn’t take too much effort. This is why Under Armour took the appropriate steps to instruct users to change their passwords both on their site as well as any other site that uses those same usernames or email addresses.
I couldn’t agree more with the need for these users to change their passwords to something difficult to crack. There are plenty of resources online that will help you create an effective password. Anytime a leak of usernames or email addresses is made available, the anti-fraud technologies monitoring for fraudulent and failed logins see major activity spikes with large numbers of login attempts using known passwords and large password dictionaries.”
Evgeny Chereshnev, CEO and Founder at Biolink.Tech:
“150 million hacked accounts is hugely significant, especially because most users use the same pairs of logins and passwords across multiple sites. Hackers will break the weakest point; in this case a fitness tracker database, and they can use this information to access users’ emails, social networks and more.
When users are notified about changing passwords following a breach, more often than not they do so in a predictable way such as adding a 1 or a ! at the end, but these algorithms are known by hackers.They use machine learning and AI too – it’s not like that’s only available to the good guys, right?
Hackers can also match these stolen email addresses and passwords to other known databases of stolen credit card numbers, social security numbers, behavioural data bought from brokers etc. With this aggregated data, hackers can build up a pretty detailed profile of a user.
If these hackers were able to match these stolen login credentials to the users’ actual fitness data, just imagine what could happen. Having this level of data would allow hackers to know that Mr Smith has a very specific and predictable pattern of behaviour. Fitness trackers don’t only track calories and the number of steps a person walks in a day; it also knows where people are and at what time. For hackers wanting to specifically target a certain person, this data is a gold mine.”
Lisa Baergen, APR, MCC, Marketing Director at NuData Security:
“The re-use of passwords in situations like this may seem like short lapse in judgment, but this data that aligns names and email addresses with passwords is a potential disaster for anyone who reuses their passwords across multiple sites and accounts.
“On the other side, to combat online fraudulent transactions after the account data has been stolen, businesses offering services in the card-not-present (CNP) channel need to identify customers using multi-layered technologies that include passive biometrics. This technology monitors the user’s inherent behavior, making it impossible for hackers to replicate or steal. Leveraging a fully integrated multi-layered security approach that includes passive biometrics is an effective way to make stolen information valueless to the hacker and help stop fraud.”
“For now, anyone who thinks they may have reused their MyFitnessPal password on other sites needs to change each account password and track all account activity carefully.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.